Cisco Network Insider: Three Ways to Secure your Network

Transcript of Cisco Network Insider: Three Ways to Secure your Network

Page 1: Cisco Network Insider: Three Ways to Secure your Network

© 2016 Cisco and/or its affiliates. All rights reserved.

3 Ways to Secure Your Network

Presenters: Robb Boyd, Ziad Sarieddine, Beth Barach, Player Pate, Guy Telner

June 14, 2016

Page 2: Cisco Network Insider: Three Ways to Secure your Network

What is on my network and why does it matter?

Page 3: Cisco Network Insider: Three Ways to Secure your Network

What visibility can help you do

• See and share rich user and device details
• Control all access throughout the network from one place
• Stop and contain threats

Page 4: Cisco Network Insider: Three Ways to Secure your Network

ISE is a powerful visibility and control technology

A centralized security solution that automates context-aware access to network resources and shares contextual data.

Use cases: Guest Access, BYOD Access, Role-Based Access, Threat Containment, Identity Profiling and Posture

Deployment: ISE pxGrid Controller, physical or VM, at the "network door" between users and network resources. Access policy: Traditional or Cisco TrustSec®.

Context ISE gathers and shares: Who, What, When, Where, How, Compliant, Threat (New!), Vulnerability (New!), Threat Score

Page 5: Cisco Network Insider: Three Ways to Secure your Network

Page 6: Cisco Network Insider: Three Ways to Secure your Network

Page 7: Cisco Network Insider: Three Ways to Secure your Network

Page 8: Cisco Network Insider: Three Ways to Secure your Network

Page 9: Cisco Network Insider: Three Ways to Secure your Network
Page 10: Cisco Network Insider: Three Ways to Secure your Network

Coffee break

Page 11: Cisco Network Insider: Three Ways to Secure your Network

Page 12: Cisco Network Insider: Three Ways to Secure your Network

ISE pxGrid: Open* sharing to get answers faster. Control to stop threats

Each platform around ISE holds one piece of the context and needs the others:

• "I have identity & device! I need geo-location & MDM…"
• "I have application info! I need location & device-type"
• "I have location! I need app & identity…"
• "I have sec events! I need identity & device…"
• "I have MDM info! I need location…"

ISE pxGrid
• Any-Any Sharing: publish, subscribe
• ISE Sharing: identity context
• ISE Network Control: Adaptive Network Control

* IETF Standards Track: Managed Incident Lightweight Exchange (MILE)

Page 13: Cisco Network Insider: Three Ways to Secure your Network

Making visibility more effective through sharing

Diagram elements: Switch, Router, Wireless, AD, Stealthwatch, pxGrid, ISE, Network

1. Identify what it is: ISE creates identity context: user, device type, posture, authorization level, location, threat score.

2. Share the identity context: ISE shares it with behavioral analysis technology.
   "Hey Stealthwatch, here's the detail on that IP address you're asking about."
   "It looks like Kevin on a Lenovo X1 Carbon MS Laptop and he's clean."

3. Watch the behaviors: monitor device behaviors for anomalies.
   "Looks like Kevin's laptop has been infected with malware."
   "Hey ISE, let's put Kevin in quarantine until he cleans up his act."

4. Stop bad things: take action to contain a device through ISE, using the network as an enforcer.
   "Roger that Stealthwatch. Hey network, put Kevin into quarantine until I tell you to let him back on."

Page 14: Cisco Network Insider: Three Ways to Secure your Network

Cisco Stealthwatch and Cisco ISE

Cisco Stealthwatch receives NetFlow from the network and context information from Cisco® Identity Services Engine over pxGrid; mitigation actions flow back from Stealthwatch to ISE.

Real-Time Visibility into All Network Layers
• Data intelligence throughout network
• Discovery of assets
• Network profile
• Security policy monitoring
• Anomaly detection
• Accelerated incident response

Page 15: Cisco Network Insider: Three Ways to Secure your Network

Cisco Stealthwatch and ISE Integration

Page 16: Cisco Network Insider: Three Ways to Secure your Network

Stealthwatch and ISE Integration

Page 17: Cisco Network Insider: Three Ways to Secure your Network

Visibility Through NetFlow

Routers and switches export a flow record for every conversation. Example record for 10.1.8.3 talking to 172.168.134.2 on the Internet:

Flow Information
SOURCE ADDRESS        10.1.8.3
DESTINATION ADDRESS   172.168.134.2
SOURCE PORT           47321
DESTINATION PORT      443
INTERFACE             Gi0/0/0
IP TOS                0x00
IP PROTOCOL           6
NEXT HOP              172.168.25.1
TCP FLAGS             0x1A
SOURCE SGT            100
…
APPLICATION NAME      NBAR SECURE-HTTP

IP protocol 6 is TCP. The TCP flags field is cumulative, the OR of the flags seen on every packet of the flow, so 0x1A (SYN, PSH, ACK) records a completed handshake followed by data; a flow that only ever shows 0x02 (SYN) never got an answer. The source SGT is the TrustSec security group tag, which is what lets a flow be attributed to a role rather than just an address.

Visibility into every network conversation:
• Every record
• Every device
• Everywhere

Page 18: Cisco Network Insider: Three Ways to Secure your Network

Conversational Flow Record

• Highly scalable (enterprise-class) collection
• High compression => long-term storage, months of data retention
• Each record answers when, who, where and what, and carries the security group and more context

Page 19: Cisco Network Insider: Three Ways to Secure your Network

Behavioral and Anomaly Detection Model

Behavioral algorithms are applied to build "Security Events"

Pipeline: collect and analyze flows -> security events (94+) -> alarm category -> response

Security events (examples): Addr_Scan/tcp, Addr_Scan/udp, Bad_Flag_ACK**, Beaconing Host, Bot Command Control Server, Bot Infected Host - Attempted, Bot Infected Host - Successful, Flow_Denied, …, ICMP Flood, …, Max Flows Initiated, Max Flows Served, …, Suspect Long Flow, Suspect UDP Activity, SYN Flood

Alarm categories: Concern, Exfiltration, C&C, Recon, Data hoarding, Exploitation, DDoS target

Responses: Alarm table, Host snapshot, Email, Syslog / SIEM, Mitigation
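The four-step workflow on page 13, the flow record on page 17 and the event model above can be exercised end to end in a few dozen lines. The Python below is an added example written for this transcript; it is not Cisco code and does not reproduce how Stealthwatch or ISE are implemented. It decodes the cumulative TCP-flags field from the record on page 17, runs two of the listed security events (Addr_Scan and Beaconing Host) over constructed NetFlow-style records, then enriches each alarm with ISE-style identity context and pushes a quarantine to a stand-in for the network enforcer. All addresses, thresholds, the `IDENTITY_CONTEXT` table and the `NetworkEnforcer` class are assumptions made for the example; the real products do this through pxGrid and Adaptive Network Control, which are not modelled here.

```python
"""Added example (not Cisco, Stealthwatch or ISE code): NetFlow-style records run
through two of the behavioural detections named on the page, the resulting alarm
enriched with ISE-style identity context and turned into a quarantine on a
simulated network enforcer.  Every address, record, threshold and name below is
constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import pstdev

# TCP control bits as carried in a NetFlow record.  The exporter ORs together
# the flags of every packet in the flow, so 0x1A means SYN, PSH and ACK were
# all seen: a completed handshake followed by data.
TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def decode_tcp_flags(flags):
    return [name for bit, name in sorted(TCP_FLAG_BITS.items()) if flags & bit]


@dataclass(frozen=True)
class Flow:
    ts: int       # flow start, seconds since the epoch
    src: str
    dst: str
    sport: int
    dport: int
    proto: int    # 6 = TCP, 17 = UDP
    flags: int    # cumulative TCP flags, 0 for UDP
    octets: int   # bytes from src to dst


def detect_addr_scan(flows, min_targets=20):
    """Addr_Scan: one source touching many distinct hosts on the same port/protocol.
    Returns {(src, proto)} so the caller can label the event tcp or udp."""
    targets = defaultdict(set)
    for f in flows:
        targets[(f.src, f.dport, f.proto)].add(f.dst)
    return {(src, proto) for (src, _, proto), dsts in targets.items() if len(dsts) >= min_targets}


def detect_beaconing(flows, min_flows=6, max_jitter=2.0):
    """Beaconing Host: repeated flows to one destination at a near-constant interval."""
    starts = defaultdict(list)
    for f in flows:
        starts[(f.src, f.dst, f.dport)].append(f.ts)
    beacons = set()
    for (src, _, _), times in starts.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:      # low jitter between call-homes
            beacons.add(src)
    return beacons


# Identity context of the kind ISE publishes over pxGrid (constructed, hypothetical).
IDENTITY_CONTEXT = {
    "10.1.8.3": {"user": "kevin", "device": "Lenovo X1 Carbon", "posture": "Compliant", "sgt": 100},
    "10.1.8.50": {"user": "unknown", "device": "unprofiled", "posture": "Unknown", "sgt": 0},
}


class NetworkEnforcer:
    """Stand-in for the switch or WLC that ISE would push a quarantine to."""
    def __init__(self):
        self.quarantined = set()

    def quarantine(self, ip):
        self.quarantined.add(ip)


def analyze(flows, enforcer):
    """Watch the behaviours, enrich each alarm with identity context, then contain.
    Returns the alarms in the order they were raised."""
    alarms = []
    for src, proto in sorted(detect_addr_scan(flows)):
        event = "Addr_Scan/tcp" if proto == 6 else "Addr_Scan/udp"
        alarms.append({"ip": src, "event": event, "category": "Recon"})
    for src in sorted(detect_beaconing(flows)):
        alarms.append({"ip": src, "event": "Beaconing Host", "category": "C&C"})
    for alarm in alarms:
        alarm["context"] = IDENTITY_CONTEXT.get(alarm["ip"], {})  # "who is this IP?"
        enforcer.quarantine(alarm["ip"])                          # "put Kevin into quarantine"
    return alarms


def sample_flows():
    """Constructed traffic: one normal HTTPS session, an SMB sweep and a 60 s beacon."""
    flows = [Flow(1_466_000_000, "10.1.8.3", "172.168.134.2", 47321, 443, 6, 0x1A, 18_400)]
    # 10.1.8.50 sends a bare SYN to 25 hosts on TCP/445: address scan.
    flows += [Flow(1_466_000_010 + i, "10.1.8.50", f"10.1.9.{i}", 40_000 + i, 445, 6, 0x02, 60)
              for i in range(1, 26)]
    # Kevin's laptop calls 203.0.113.9:443 every 60 s, give or take 1 s: beaconing.
    flows += [Flow(1_466_000_100 + 60 * i + i % 2, "10.1.8.3", "203.0.113.9", 50_000 + i, 443, 6, 0x1A, 300)
              for i in range(8)]
    return flows


if __name__ == "__main__":
    enforcer = NetworkEnforcer()
    print("flags 0x1A =", "|".join(decode_tcp_flags(0x1A)))
    for alarm in analyze(sample_flows(), enforcer):
        print(alarm["category"], alarm["event"], alarm["ip"], alarm["context"])
    print("quarantined:", sorted(enforcer.quarantined))
```

The two detectors deliberately key on different things: the scan check counts distinct destinations per (source, port, protocol), so a single busy client talking to two or three servers on 443 never trips it, while the beacon check looks only at the regularity of flow start times, which is what survives when a C&C channel is wrapped in TLS and the application name in the record is just SECURE-HTTP. In production the thresholds are tuned per host group rather than fixed, and the quarantine should be reversible by the same automation that applied it, as the dialogue on page 13 implies ("until I tell you to let him back on").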

Page 20: Cisco Network Insider: Three Ways to Secure your Network

Cisco Stealthwatch Demo - Dashboard

Page 21: Cisco Network Insider: Three Ways to Secure your Network

List of Alarms for Data Exfiltration

Alarm Triggers

Page 22: Cisco Network Insider: Three Ways to Secure your Network

View of Data Exfiltration Host and Traffic

Page 23: Cisco Network Insider: Three Ways to Secure your Network

Data Exfiltration Query

Page 24: Cisco Network Insider: Three Ways to Secure your Network

Data Exfiltration Traffic Details

Page 25: Cisco Network Insider: Three Ways to Secure your Network

Stealthwatch for Macro-Level Visibility

Fight advanced threats with actionable intelligence and analytics

• Obtain comprehensive, scalable enterprise visibility and security context
• Gain real-time situational awareness of traffic
• Benefit from network segmentation
• Detect and analyze network behavior anomalies
• Easily detect behaviors linked to advanced persistent threats (APTs), insider threats, distributed denial-of-service (DDoS) attacks, and malware
• Collect and analyze holistic network audit trails
• Achieve faster root cause analysis
• Conduct thorough forensic investigations
• Accelerate network troubleshooting and threat mitigation
• Respond quickly to threats by taking action to quarantine through Cisco® Identity Services Engine
• Continuously improve enterprise security posture

Monitor, Detect, Analyze, Respond

Page 26: Cisco Network Insider: Three Ways to Secure your Network

Visibility from the Core to the Edge

Page 27: Cisco Network Insider: Three Ways to Secure your Network

Cisco Defense Orchestrator: Security Policy Management Simplified

Device onboarding
• Import from offline
• Discover direct from device

Security policy management
• Policy change management
• Policy modeling, analysis and optimization
• Policy monitoring and reporting
• Scalable orchestration of changes
• Simple search, reports, notifications

Page 28: Cisco Network Insider: Three Ways to Secure your Network

Next Steps

For further information on Technology 1, Technology 2 and Technology 3, please visit the Cisco Security page: http://www.cisco.com/c/en/us/products/security/index.html

Register for the next event in the Cisco Network Insider series, "Cisco Mobility for Hospitality", on June 28 at 10am PT / 1pm ET:
https://grs.cisco.com/grsx/cust/grsEventSite.html?EventCode=14207&LanguageId=1&KeyCode=

Thank you for your participation!

Page 29: Cisco Network Insider: Three Ways to Secure your Network

Check us out on cisco.com/go/security to learn more about: ISE, Stealthwatch, Cisco Defense Orchestrator

Page 30: Cisco Network Insider: Three Ways to Secure your Network